A so-far unidentified threat actor has compromised JumpCloud in what appears to be an island-hopping campaign.
JumpCloud: “nation-state sponsored threat actor gained unauthorized access to our systems.”
JumpCloud announced that its systems were breached in a sophisticated attack conducted by a state-sponsored threat actor. “On June 27 at 15:13 UTC we discovered anomalous activity on an internal orchestration system which we traced back to a sophisticated spear-phishing campaign perpetrated by the threat actor on June 22. That activity included unauthorized access to a specific area of our infrastructure. We did not see evidence of customer impact at that time. Out of an abundance of caution, we rotated credentials, rebuilt infrastructure, and took a number of other actions to further secure our network and perimeter. Additionally, we activated our prepared incident response plan and worked with our Incident Response (IR) partner to analyze all systems and logs for potential activity. It was also at this time, as part of our IR plan, that we contacted and engaged law enforcement in our investigation.”
Investigation continues; attribution isn't clear.
The company is convinced the attack was sponsored by a nation-state, but JumpCloud is unsure which state was behind the attack.
As the forensic investigation continued, JumpCloud discovered additional unauthorized activity in the form of “unusual activity in the commands framework for a small set of customers.” In response, JumpCloud performed a force-rotation of all admin API keys on July 5th, the same day the unusual activity was discovered. Ars Technica explains that JumpCloud hosts a user base of over 200,000 organizations, with 5,000 paying customers including Cars.com, GoFundMe, and Foursquare.
The attack was targeted and very narrow.
JumpCloud explained that the attack vector is believed to be data injection into the command network, which resulted in extremely precise targeting of specific customers. BleepingComputer writes that JumpCloud has yet to provide details on which customers were targeted, most likely to protect the potential victims’ privacy. JumpCloud concluded its statement with a discussion of the attack’s sophistication:
“These are sophisticated and persistent adversaries with advanced capabilities. Our strongest line of defense is through information sharing and collaboration. That’s why it was important to us to share the details of this incident and help our partners to secure their own environments against this threat. We will continue to enhance our own security measures to protect our customers from future threats and will work closely with our government and industry partners to share information related to this threat. If you are a customer with additional questions on this incident, please submit a support ticket in your admin console or reach out to your account manager.”
Industry comments on this form of third-party risk.
Industry experts have weighed in on the attack. Dror Liwer, co-founder of cybersecurity company Coro, observes that threat actors are benefiting from innovations in automation. “With automated tools, we see a significant decrease in dwell time which allows organizations to minimize the exposure and potential damage resulting from a breach. The race to identify, contain, and remediate a rolling breach is exacerbated by the attackers themselves using automated tools and AI to camouflage their entry point and lateral movement within the impacted platforms.”
Erich Kron, security awareness advocate at KnowBe4, took note that the compromise began with phishing. “Like so many other attacks, this one was the result of a successful email phishing campaign,” he wrote. “Even technically advanced organizations, and those familiar with working in software, can still be victimized by something as simple as phishing, if they’re not careful. Organizations of any size, and in any industry, should ensure they are using a high-quality and well-implemented employee education and training program to ensure their employees are learning better security hygiene and behaviors, and can quickly spot and report email phishing campaigns to their security team.”
JumpCloud may stop short of attribution, but some in industry think the signs point, circumstantially, to China. Tom Kellermann, SVP of cyber strategy at Contrast Security, compares cloud jacking to colonialism. “Chinese cyberspies have adopted cloud jacking for the purposes of island hopping. Given this modern colonialization, cloud service providers must enhance their cybersecurity posture through investing in API security and serverless security solutions.”